diff mbox series

xfs: fix maxicount division by zero error

Message ID 20190826163436.GO1037350@magnolia (mailing list archive)
State Superseded, archived
Headers show
Series xfs: fix maxicount division by zero error | expand

Commit Message

Darrick J. Wong Aug. 26, 2019, 4:34 p.m. UTC
From: Darrick J. Wong <darrick.wong@oracle.com>

In xfs_ialloc_setup_geometry, it's possible for a malicious/corrupt fs
image to set an unreasonably large value for sb_inopblog which will
cause ialloc_blks to be zero.  If sb_imax_pct is also set, this results
in a division by zero error in the second do_div call.  Therefore, force
maxicount to zero if ialloc_blks is zero.

Note that the kernel metadata verifiers will catch the garbage inopblog
value and abort the fs mount long before it tries to set up the inode
geometry; this is needed to avoid a crash in xfs_db while setting up the
xfs_mount structure.

Found by fuzzing sb_inopblog to 122 in xfs/350.

Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
---
 fs/xfs/libxfs/xfs_ialloc.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Carlos Maiolino Aug. 27, 2019, 5:20 a.m. UTC | #1
Hi.

On Mon, Aug 26, 2019 at 09:34:36AM -0700, Darrick J. Wong wrote:
> From: Darrick J. Wong <darrick.wong@oracle.com>
> 
> In xfs_ialloc_setup_geometry, it's possible for a malicious/corrupt fs
> image to set an unreasonably large value for sb_inopblog which will
> cause ialloc_blks to be zero.  If sb_imax_pct is also set, this results
> in a division by zero error in the second do_div call.  Therefore, force
> maxicount to zero if ialloc_blks is zero.
> 
> Note that the kernel metadata verifiers will catch the garbage inopblog
> value and abort the fs mount long before it tries to set up the inode
> geometry; this is needed to avoid a crash in xfs_db while setting up the
> xfs_mount structure.
> 
> Found by fuzzing sb_inopblog to 122 in xfs/350.

The patch looks good, but maybe a comment is worth so we don't need to check the
git log to understand why we need to check ialloc_blks here?

> 
> Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
> ---
>  fs/xfs/libxfs/xfs_ialloc.c |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/fs/xfs/libxfs/xfs_ialloc.c b/fs/xfs/libxfs/xfs_ialloc.c
> index 1a14067aa4d4..5e95648c346c 100644
> --- a/fs/xfs/libxfs/xfs_ialloc.c
> +++ b/fs/xfs/libxfs/xfs_ialloc.c
> @@ -2811,7 +2811,7 @@ xfs_ialloc_setup_geometry(
>  			inodes);

Something like:


	/*
	 * Set the maximum inode count for this filesystem, being careful
	 * ialloc_blks is not zeroed due a corrupted sb_agblklog
	 */
	if (sbp->sb_imax_pct) {
	if (sbp->sb_imax_pct && igeo->ialloc_blks) {
>  		/*
>  		 * Make sure the maximum inode count is a multiple
>  		 * of the units we allocate inodes in.

The comment is just a suggestion anyway, you can add to the patch:

Reviewed-by: Carlos Maiolino <cmaiolino@redhat.com>
diff mbox series

Patch

diff --git a/fs/xfs/libxfs/xfs_ialloc.c b/fs/xfs/libxfs/xfs_ialloc.c
index 1a14067aa4d4..5e95648c346c 100644
--- a/fs/xfs/libxfs/xfs_ialloc.c
+++ b/fs/xfs/libxfs/xfs_ialloc.c
@@ -2811,7 +2811,7 @@  xfs_ialloc_setup_geometry(
 			inodes);
 
 	/* Set the maximum inode count for this filesystem. */
-	if (sbp->sb_imax_pct) {
+	if (sbp->sb_imax_pct && igeo->ialloc_blks) {
 		/*
 		 * Make sure the maximum inode count is a multiple
 		 * of the units we allocate inodes in.